Enabling Integrated Windows Authentication for ADFS 3.0 or 4.0

Complete this task to enable Integrated Windows Authentication (IWA) on Active Directory Federation Services (ADFS) 3.0 or 4.0.

Procedure

  1. On the ADFS server, run PowerShell as administrator.
  2. Use the following PowerShell commands to view the current ADFS settings:
    $FormatEnumerationLimit=-1
    Get-ADFSProperties
  3. If you have Notes client or Chrome browser users, use the following PowerShell command to turn off extended protection for authentication:
    Set-ADFSProperties -ExtendedProtectionTokenCheck None
  4. Use the following PowerShell commands to specify the user agents (clients and browsers) that can participate in IWA:
    1. Determine which user agents are used currently.
      Get-AdfsProperties | select -ExpandProperty WiaSupportedUserAgents
      Note the output from the command.
    2. Specify the user agents that can participate in IWA:
      Set-ADFSProperties -WIASupportedUserAgents @("<user_agent>", "<user_agent>","<user_agent>")
      where "<user_agent>" is each user agent noted in the output from the previous step.
      Note: If you are configuring IWA for Notes federated login, you must also specify the browser embedded in the Notes client. For Notes V10 and earlier clients, specify Mozilla/4.0. For Notes V11 and later clients, specify Mozilla/5.0.
      For example:
      Set-ADFSProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "MS_WorkFoldersClient", "=~Windows\s*NT.*Edge", "Firefox/25.0", "Firefox/47.0", "Mozilla/4.0", "Mozilla/5.0")
    3. Verify that the user agents specified in the previous step are configured:
      Get-AdfsProperties | select -ExpandProperty WiaSupportedUserAgents
  5. Use the following PowerShell commands again to confirm the setting changes:
    $FormatEnumerationLimit=-1
    Get-ADFSProperties
  6. Complete the following steps to set ADFS to use IWA:
    • For ADFS 4.0:
      1. Open ADFS Management.
      2. Click Service > Authentication Methods.
      3. Click Edit Primary Authentication Methods.
      4. In the Primary authentication tab, intranet section, select Windows Authentication. Optionally select Forms Authentication. Forms Authentication allows users who cannot use IWA, such as Linux and Mac users, to authenticate with SAML.
    • For ADFS 3.0:
      1. Open ADFS Management.
      2. Click Authentication Policies.
      3. Click Edit Global Primary Authentication.
      4. In Primary Authentication, Global Settings, Authentication Methods, click Edit.
      5. In the intranet section, select Windows Authentication. Optionally select Forms Authentication. Forms Authentication allows users who cannot use IWA, such as Linux and Mac users, to authenticate with SAML.
  7. Restart the ADFS service.
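The following script is an added example, not part of this procedure, that carries out steps 2 through 5 and step 7 in one run: it reads the current WIA user-agent list, appends the Notes embedded-browser agents only if they are missing (because Set-ADFSProperties replaces the whole array), verifies the result, and restarts the service. It assumes an elevated PowerShell session on the ADFS server; the service name adfssrv and the variable names are the example's own.

```powershell
# Added example (not from the original procedure): idempotently add the Notes
# embedded-browser user agents to the ADFS WIA list, verify, and restart.
# Assumes it runs in an elevated PowerShell session on the ADFS server.
$FormatEnumerationLimit = -1

# User agents required for Notes federated login (from the procedure above).
# "Mozilla/5.0" matches virtually every modern browser, so once it is listed
# ADFS will offer IWA to all of them, not only to the Notes client.
$required = @("Mozilla/4.0", "Mozilla/5.0")

# Capture the current list rather than overwriting it:
# -WIASupportedUserAgents replaces the entire array on every call.
$current = @(Get-AdfsProperties | Select-Object -ExpandProperty WiaSupportedUserAgents)
Write-Host "Current WIA user agents:"
$current | ForEach-Object { Write-Host "  $_" }

# Merge and apply only if something is actually missing.
$missing = @($required | Where-Object { $current -notcontains $_ })
if ($missing.Count -gt 0) {
    $merged = $current + $missing
    Set-AdfsProperties -WIASupportedUserAgents $merged
    Write-Host "Added: $($missing -join ', ')"
} else {
    Write-Host "All required user agents already configured; nothing changed."
}

# Optional (step 3): only when Notes client or Chrome users need it. This
# disables channel-binding checks for WIA, so leave it commented out unless
# those clients are actually in use.
# Set-AdfsProperties -ExtendedProtectionTokenCheck None

# Verify the effective list before restarting; fail loudly if it did not take.
$after = @(Get-AdfsProperties | Select-Object -ExpandProperty WiaSupportedUserAgents)
$notApplied = @($required | Where-Object { $after -notcontains $_ })
if ($notApplied.Count -gt 0) {
    throw "WIA user agents not applied: $($notApplied -join ', ')"
}
Write-Host "Effective WIA user agents:"
$after | ForEach-Object { Write-Host "  $_" }

# Step 7: restart the ADFS service so the new settings take effect.
Restart-Service adfssrv
```

Run Get-ADFSProperties afterwards, as in step 5, to review the full property set once the service is back up.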